When 340 high school students figured out how to remove mobile device management software from their iPads they did more than gain access to social networks and banned websites. They exposed what can go wrong with Apple's approach to supporting companies and schools looking to deploy and manage thousands of iPads.

Thank you

Sorry

Last week, more than 300 students across three high schools in the Los Angeles Unified School District (LAUSD) brought their school-issued iPads home and hacked into them, probably to download juicy blacklisted apps and access banned websites.

Well, "hacked" might be a strong word. Students simply removed their mobile device management (MDM) software profile—an easy enough thing to do—which also got rid of Apple's Global Proxy that ensures traffic goes through a Web filter. It wasn't much of a hack, rather a couple of finger taps.

The Los Angeles Times reported the story, which was picked up by other media, and LAUSD suddenly found itself in hot water. Headlines screamed: "Students find ways to thwart school iPad security" (rtv6) and "Students gleefully teach admins that mobile device management is hard" (Ars Technica).

Seemingly caught by surprise, LAUSD threw together an official response. Superintendent John Deasy quickly ordered a moratorium on allowing iPads to leave campus until the district could make sure that the problem was solved and that students would use the devices safely and appropriately.

In truth, we don't know; LAUSD would not respond to questions. But our best guess is that LAUSD had come to a fork in the road in its massive iPad rollout and was forced to choose the lesser of two evils. One path required a lot of work, the other was less secure. In the background, Apple was working on a fix that would render a decision moot. LAUSD took the latter path, hoping Apple's fix would come soon.

The gamble didn't pay off, and LAUSD took some bad press. To be fair, the sensationalism overshot the severity. After all, 340 high school students had access to unfiltered iPads for a single evening. By removing MDM profiles, students triggered an automatic alert to the IT department, and the matter was probably resolved the next school day. No big deal.

Students Teach Apple a Lesson

But the entire episode is worth analyzing as a bold chapter in the fast-evolving story of iPads in the enterprise. It's an example of what can go wrong with Apple's on-again-off-again love affair with companies and schools trying to support thousands of iPads.

Earlier this summer, LAUSD told the Los Angeles Times that it was spending $30 million to provide 35,000 iPads to students in 47 schools. Then CIO.com sister site CITEworld broke the news that this was only the first leg of a much larger rollout. The master plan called for all 640,000 students to have an iPad by the end of next year—one of the largest deployments of its kind.

"We're targeting kids who most likely don't have their own computers or laptops or iPads," Mark Hovatter, chief facilities executive for LAUSD, told CITEworld. "Their only exposure to computers now is going to be in their schools."

School districts across the country are feeling the iPad craze, although not to the level of LAUSD. For instance, Lexington School District One (LSDO) in South Carolina started a large iPad rollout in 2011 and today is up to 17,000 iPads, including 7,000 for high school students.

Apple has been feeding the frenzy, too. Last year, Apple unveiled iBooks 2 for the iPad, a storefront for multimedia high school textbooks. Apple has special programs set up for education; schools can purchase iPads in 10-packs, while companies must buy individually wrapped iPads.

Both LSDO and LAUSD wanted their students to be able to bring iPads home. The thinking goes, if you give a person a sense of iPad ownership, then great things will happen. Students could use iPads for off-hours tutoring, homework and late-night studying.

Allowing iPads outside the corporate network, however, raises the bar on security. The school districts bought MDM software that would restrict students from using, say, iMessage or downloading apps rated 17+ from the Apple App Store. The school districts also wanted content filtering in the form of Apple Global HTTP Proxy, which blocks Facebook, Twitter, YouTube (except for educational content) and other sites.

LSDO chose MobileIron as its MDM vendor and LAUSD chose AirWatch. The problem with MDM is that it's made for a company's BYOD crowd. MDM was designed for employees to easily opt in and opt out. When an employee opts out and essentially un-enrolls from the BYOD program, an alert is sent to IT. The employee simply loses access to corporate assets.

In order to prevent students from opting out of MDM, LAUSD most likely relied on written policies. That is, students and parents probably signed an agreement that they would not opt out of their MDM profiles. For employees in a corporate setting, there are repercussions for violating such an agreement, ranging from a bad mark on a performance review to termination.

Repercussions for high school students? Not so much. LAUSD's policy-driven approach was akin to hanging a "Do Not Enter" sign on a gym door; kids will still sneak in to play basketball. In other words, LAUSD should not have been surprised when hundreds of students opted out of MDM.

Securing iPads in the Field

Today, there's not much you can do to prevent users from opting out of their MDM profiles and losing some security over iPads. But MDM is only half the story, because it represents only half the security measures.

The other half, Apple Global HTTP Proxy, introduced in iOS 6, could have maintained content filtering at LAUSD high schools, but it didn't. A plausible reason is that LAUSD appears to have deployed Global HTTP Proxy under MDM, not Apple Configurator.

Global HTTP Proxy needs to be under the supervision of either MDM or Apple Configurator. If it's under MDM, Global HTTP Proxy vanishes when the MDM profile is un-enrolled. If it's under Apple Configurator, there's an option to restrict profiles from being removed. Apple Configurator and Global HTTP Proxy cannot be removed unless the iPad is wiped.

"The biggest takeaway is, if you supervise the device and put [Apple Configurator] on there, you can prevent it from being removed," explains Thomas Burgess, network engineer at LSDO. "That's what we do with Global Proxy on our devices."

So why didn't LAUSD use Apple Configurator? Apple didn't really design Apple Configurator for large iPad rollouts. If you deploy iPads with Apple Configurator, iPads become static. For instance, there are no over-the-air configuration capabilities. If changes need to be made to iPads, IT will have to physically touch each device—a near-impossible task in LAUSD's rollout of tens of thousands of iPads.

Having deployed iPads with Apple Configurator, LSDO's Burgess lives with this risk every day, albeit a slightly lesser one because LSDO's iPad deployment is much smaller than LAUSD's. Luckily, LSDO hasn't had to make hands-on changes to iPads.

LSDO has faced other issues, such as non-content filtering iPads prior to the release of iOS 6-Global HTTP Proxy and students downloading Snapchat, which lets them share photos or videos and then deletes the content after a certain time. LSDO has had to discipline students for trying to undermine security, as well as tweak user policies.

Finding the Teachable Moment

There's no question LAUSD was caught between an un-scalable Apple Configurator and an easily disabled MDM as supervisory options for Global HTTP Proxy. In hindsight, LAUSD should have prevented iPads from leaving the campus in the first place. While on the corporate network, iPads can be watched more carefully and MDM un-enrollment can be flagged and addressed on the spot.

On the other hand, AirWatch CEO John Marshall believes that the security breach, far from threatening, can be a teachable moment. "I think the lesson is, if you're going to remove the MDM profile, you'll lose the device for a period of time," he says. "Part of learning is not breaking policy and becoming a good digital citizen."

LAUSD's decision not to use Apple Configurator can be summed up as a case of bad timing. Earlier this year, at its Worldwide Developers Conference, Apple quietly unveiled plans for making this dilemma go away.

A summary of the plan is available to developers under non-disclosure, but basically it's a streamlined device enrollment program. If an iPad is in the program, Apple will auto-enroll the device to the assigned company's MDM software (along with Global HTTP Proxy) and supervise the iPad, thus taking Apple Configurator out of the picture. Critically, the MDM profile can't be removed.

But Apple hasn't shipped the program yet, nor given a timetable for when companies and schools can expect it. For LAUSD, it didn't come soon enough.